Mobile Biometrics: The Next Phase of Enterprise Authentication?

Smartphones and tablets equipped with fingerprint readers or other biometric hardware have the potential to drive greater adoption of biometric authentication in the enterprise—if we can get the hardware, software and business processes right.

Smartphones and tablets have the potential to become powerful platforms for enterprise authentication. By combining biometric capabilities such as a fingerprint reader or voice recognition software with mobile devices that users carry with them all the time, enterprises may be able to roll out two-factor authentication as part of an identity and access management (IAM) infrastructure.

While mobile biometrics are still a work in progress, there are multiple potential uses within the enterprise, including granting access to locked-down "containers" of enterprise data or applications stored on the device, requiring on-device biometric scans to authenticate the user to the enterprise network and applications, and possibly even granting physical access to buildings and rooms.

These are intriguing use cases, but significant work still has to be done to make them a reality. Given the capabilities of most current mobile device hardware, touch-based biometric inputs like fingerprint recognition will require new hardware before they can offer enterprise-class fingerprint recognition, says Troy Potter, VP of identity solutions for Unisys.

At the moment, very few phones on the market have onboard biometrics hardware built into the device. They do exist, however: the Motorola ATRIX includes a fingerprint recognition feature that unlocks the phone for an authorized user.

But existing hardware such as the microphone and the camera could be put to biometric use by special software that taps into these capabilities.

"There are so many potential inputs--capacitive screens, microphones, cameras, accelerometers, you name it," says Beau Woods, founder of Stratigos Security, a security consultancy based in Atlanta. "And [these devices] have enough processing power to do more advanced pattern matching, too."

Unisys's Potter agrees. "I think where it's actually good is in facial recognition or voice recognition," he says, "where it's already built into the phone itself as far as being able to take high res photos or record audio."

Tying that hardware capability into a meaningful scanning system that can recognize facial or voice characteristics and use them to authenticate may well be within the reach of existing devices. This fall a San Jose, Calif.-based company called EyeVerify introduced an "eyeprint" product meant to verify user identities tied to unique eye vein patterns. The software product takes advantage of existing camera inputs on mobile devices to perform the scan.

There are also indications that major players may be getting in on the act. This summer, Apple spent $356 million to acquire biometrics hardware manufacturer AuthenTec, a purchase that some pundits speculated was for potential addition of AuthenTec fingerprint readers to iPhones and iPads. Just prior to the acquisition, AuthenTec inked a deal with Samsung to build fingerprint readers into an upcoming generation of its Android smartphones. It's still unclear what the acquisition means for this deal, but it's evident from AuthenTec's activities that built-in biometrics hardware may be on the not-so-distant horizon.

But simply introducing nifty biometrics mechanisms on mobile devices is only one part of the equation. Software and business processes also need to be in place before the security assurance is strong enough for wide-scale enterprise adoption. Some security pros remain wary.

"Biometrics on mobile devices will be a non-starter due to the mismatch between the cost and capabilities of consumer-grade hardware for biometrics and the needs for security and reliability for enterprises," says Phil Lieberman, president of Lieberman Software. "The management of biometric data is a nightmare due to lack of standardization as well as the secure storage and secure retrieval/verification in a mobile setting."

But Darren Platt, CTO of Symplified, an identity management provider, says that it all depends on the use case and the specific asset being accessed by a device.

"There are certain scenarios that require a high degree of assurance and will therefore never be able to leverage BYOD because of concerns about the integrity of unmanaged client devices," he says. "There are, however, many other scenarios that will." The real key will be in how well consumer device providers enable federated authentication protocols like SAML or OAuth.

"Done right, this will allow carriers to provide authentication to apps and services provided by third parties," he says.